Populi

Archive for the ‘Security’ Category

Heartbleed

Tuesday, April 8th, 2014

On Monday, April 7, security researchers published information about a bug in the OpenSSL cryptographic software library. OpenSSL powers the encryption used to secure the internet—everything from websites to instant messaging to virtual private networks. The bug, called Heartbleed (CVE-2014-0160), is a missing bounds check in OpenSSL’s handling of the TLS heartbeat extension: a client can claim that its heartbeat payload is longer than what it actually sent, and a vulnerable server answers with up to 64 KB of whatever lies next to the request in its memory, which can include session cookies, passwords, and the server’s private key. Because OpenSSL is so widely deployed, the bug could affect about two-thirds of encrypted internet traffic.
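The missing check, as an added simulation in Python. This is not OpenSSL’s code or Populi’s; the message layout follows the TLS heartbeat specification (RFC 6520), and the NEIGHBOURING_MEMORY bytes are made up to stand in for whatever else the server had allocated next to the request:

```python
import struct
from typing import Optional

# Constructed stand-in for the bytes that happen to sit next to the heartbeat
# request in a server's memory (made up for this simulation).
NEIGHBOURING_MEMORY = (
    b"\x00" * 8
    + b"Cookie: session=deadbeefcafef00d; user=alice\r\n"
    + b"-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA\n"
)

HEADER_LEN = 1 + 2      # hbtype (1 byte) + payload_length (2 bytes, big-endian)
PADDING_LEN = 16        # RFC 6520 requires at least 16 bytes of padding


def build_heartbeat_request(payload: bytes, claimed_length: int) -> bytes:
    """Encode a HeartbeatRequest. An honest peer sets claimed_length == len(payload);
    the Heartbleed probe sets it far larger than the payload it actually sends."""
    return struct.pack("!BH", 1, claimed_length) + payload + b"\x00" * PADDING_LEN


def vulnerable_handler(memory: bytes, record_length: int) -> bytes:
    """Models OpenSSL up to 1.0.1f: reads payload_length from the peer and copies
    that many bytes into the response without checking it against record_length."""
    _hbtype, payload_length = struct.unpack("!BH", memory[:HEADER_LEN])
    start = HEADER_LEN
    # memcpy(bp, pl, payload): the copy runs straight past the end of the request
    return memory[start:start + payload_length]


def patched_handler(memory: bytes, record_length: int) -> Optional[bytes]:
    """Models the 1.0.1g fix: discard the message unless header, claimed payload
    and minimum padding all fit inside the record that actually arrived."""
    if HEADER_LEN + PADDING_LEN > record_length:
        return None                                   # silently discard
    _hbtype, payload_length = struct.unpack("!BH", memory[:HEADER_LEN])
    if HEADER_LEN + payload_length + PADDING_LEN > record_length:
        return None                                   # silently discard
    return memory[HEADER_LEN:HEADER_LEN + payload_length]


def simulate(payload: bytes, claimed_length: int):
    """Return (vulnerable_response, patched_response) for one heartbeat request."""
    request = build_heartbeat_request(payload, claimed_length)
    memory = request + NEIGHBOURING_MEMORY   # the request, then adjacent heap data
    return (vulnerable_handler(memory, len(request)),
            patched_handler(memory, len(request)))


if __name__ == "__main__":
    leaked, refused = simulate(b"hi", 0xFFFF)
    print("vulnerable server echoed %d bytes, e.g. %r" % (len(leaked), leaked[20:64]))
    print("patched server response:", refused)
```

Run it and the vulnerable handler answers a two-byte heartbeat with everything that followed it in the buffer, while the patched handler drops the message. A patch stops further leakage but cannot recover what may already have been read, which is why the standard Heartbleed response also included reissuing TLS certificates and invalidating existing sessions.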

As of now, all Populi servers have been patched against this vulnerability, and we have no reason to believe that any of our clients’ data was compromised. Due to the critical nature of this issue, we performed the patching during business hours today—rather than after hours as we normally do—so our apologies to anyone who was affected! We’ll continue to monitor the situation and post further updates if necessary.

To the best of our knowledge, Populi has been locked down against this bug and all data is secure.

IE8 going the way of the dodo on January 1, 2013

Thursday, November 15th, 2012

We’re dropping support for Internet Explorer 8—as of January 1, 2013, Populi will no longer support that very troublesome, outdated browser.

We cut IE7 loose a few months ago (after its share of Populi logins fell below 3%), together with old versions of other browsers like Firefox 3 and Safari 3. IE8’s share is currently below 5% and is falling; more people access Populi via Safari on iPad than IE8.

The takeaway: if you’re still on IE8, it’s time to update your browser! New browser versions are simple to get, more secure, and incorporate improvements in speed, reliability, and compatibility with web standards. Another benefit: it helps us focus on moving Populi forward. Few things grate on us more than hacking our code to deal with some sociopathic element in IE8—especially when we could spend that time building new features or improving current ones.

So, hotfoot on over to one of these links and get updated!

Firefox

Safari

Chrome

And if you really need to run some version of IE, see what version Microsoft will let you download in your version of Windows.

Still using Internet Explorer?

Tuesday, September 18th, 2012

Yesterday, Microsoft reported on a security vulnerability in versions 6, 7, 8, and 9 of Internet Explorer that “could allow remote code execution”, which is a nicer way of saying, “could allow someone to take over your computer”.

To address the vulnerability, they list a number of complicated “workarounds” and “suggested actions”, all of which seem to include continued use of Internet Explorer while it has a serious, un-patched security hole.

Since around 23% of our users choose to access Populi from Internet Explorer, we thought we’d offer a suggestion of our own: switch to Google Chrome or Mozilla Firefox.

Correct horse battery staple

Thursday, June 21st, 2012

Here’s a fine comic from xkcd that made the rounds a few months ago. We confess to being guilty as charged of encouraging users to concoct passwords like Tr0ub4dor&3, while then telling everyone not to post it on a sticky note on your monitor. Passwords like correct horse battery staple are much simpler to remember and, as the comic’s arithmetic shows, harder to guess: four words drawn at random from a list of a couple thousand beat one word dressed up with predictable substitutions. Of course, we do require an uppercase letter and a number somewhere in your password, but that should be easy enough to work into a more memorable passphrase.

Here’s a much more technical article going into the why’s and what’s and how’s of such passwords from the Dropbox tech blog.
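The comic’s arithmetic carried through, as an added Python example (this is not code from xkcd, Dropbox, or Populi). The bit counts for Tr0ub4dor&3 are the comic’s own estimates, SAMPLE_WORDS is a constructed 16-word list so the script runs offline, and the policy check is the uppercase-plus-digit rule stated above:

```python
import math
import secrets


def entropy_bits(choices_per_element: int, elements: int) -> float:
    """Bits of entropy in `elements` independent, uniformly chosen pieces."""
    return elements * math.log2(choices_per_element)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try the whole space (the comic's accounting)."""
    return 2 ** bits / guesses_per_second


# The comic's model of Tr0ub4dor&3: one uncommon base word (~16 bits) plus the
# predictable tricks layered on it (capitalisation, l33t substitutions, a
# punctuation-plus-digit suffix; ~12 bits all told). Four words drawn uniformly
# from a 2048-word list give 4 * 11 bits.
TROUBADOR_BITS = entropy_bits(2 ** 16, 1) + entropy_bits(2 ** 12, 1)   # 28
PASSPHRASE_BITS = entropy_bits(2048, 4)                                 # 44

# Constructed word list for a runnable demo. A real list needs at least 2048
# entries (the EFF long list has 7776) for the 44-bit figure to hold.
SAMPLE_WORDS = [
    "correct", "horse", "battery", "staple", "river", "candle", "marble", "tundra",
    "pepper", "anchor", "violet", "hammer", "oyster", "canyon", "meadow", "rocket",
]


def policy_ok(password: str) -> bool:
    """The stated rule: at least one uppercase letter and at least one digit."""
    return any(c.isupper() for c in password) and any(c.isdigit() for c in password)


def make_passphrase(wordlist, n_words: int = 4):
    """Draw n_words (with replacement) from the OS CSPRNG, then satisfy the
    uppercase/digit policy by capitalising the first word and appending one
    random digit. Returns (phrase, entropy_in_bits): the random digit adds
    log2(10) bits, the fixed capitalisation adds none."""
    words = [secrets.choice(wordlist) for _ in range(n_words)]
    words[0] = words[0].capitalize()
    phrase = " ".join(words) + str(secrets.randbelow(10))
    bits = entropy_bits(len(wordlist), n_words) + math.log2(10)
    return phrase, bits


if __name__ == "__main__":
    for label, bits in (("Tr0ub4dor&3", TROUBADOR_BITS), ("4 x 2048 words", PASSPHRASE_BITS)):
        days = seconds_to_exhaust(bits, 1000) / 86400
        print("%-15s %5.1f bits, %10.1f days at 1000 guesses/s" % (label, bits, days))
    print(make_passphrase(SAMPLE_WORDS))
```

At the comic’s 1000 guesses per second the 28-bit password falls in about three days and the 44-bit passphrase takes roughly 550 years; against an offline attack on a leaked hash database the rate is many orders of magnitude higher, so the word list size and count are what matter, not the capital letter and digit.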

Aaaand, if you’re so inclined, log in to Populi, go to your profile’s Info tab, click the gear, and select Reset Password…

Oppose SOPA and PIPA

Monday, January 16th, 2012

On Tuesday, January 24th, the U.S. Senate is slated to vote on the PROTECT IP Act (PIPA). Together with its counterpart bill in the House of Representatives, the Stop Online Piracy Act (SOPA)*, it seeks to curtail online bootlegging from overseas websites via several means:

  • It gives the U.S. government the power to force internet service providers to block access to sites that traffic in bootlegged (or, in the words of the bill’s proponents, pirated) content.
  • The government could also sue search engines and other websites to prevent them from linking to such sites.
  • U.S. credit card companies and advertisers would be required to cancel their accounts with those sites so as to cut off their sources of funding.
  • It prescribes jail sentences for users who post copyrighted works or links to infringing sites.

We here at Populi oppose these two bills for a number of reasons. Our chief concerns:

  • They extend considerable powers to the U.S. government to shut down sites that the beneficiary corporations consider “infringing”.
  • They allow corporations to sue the owners of such “infringing” sites.
  • The bills are draconian: the government could block sites like Facebook and Twitter if just one user posted just one link to an infringing site.
  • The smallest infraction runs afoul of the bill’s harshest measures.
  • Perhaps worst of all: the bills require internet service providers to tamper with Domain Name System (DNS) answers for blacklisted sites, which is exactly the kind of forged response that DNSSEC was built to detect and reject. That undermines DNS itself, one of the key pieces of infrastructure that makes the internet secure and at all trustworthy.

This video explains what’s at stake…

We care about the internet—it lets us serve our customers and earn a living, after all—and PIPA and SOPA are foolish, short-sighted pieces of legislation that will do great harm to it.

Read more about these bills at the Electronic Frontier Foundation and americancensorship.org and contact your Senators to encourage them to oppose PIPA.

* SOPA was shelved on January 16th, which means that the House won’t vote on it. It is currently very wounded, but not dead.

Get to know us! Here’s Patrick Swanson…

Wednesday, August 10th, 2011

Six feet, eight inches tall, given to doing pull-ups on the office rafters, carrying the upper-body strength of a construction crane, Patrick Swanson nevertheless has health issues. They become particularly onerous during late Summer and early Autumn of every year. He can’t sleep past 4 AM. His appetite slumbers for long periods, then rages out of control. His rhythms disrupted, he loses focus on what’s before him, obsessing instead over the “silvery flashes” darting through his mind.

A metabolic problem? Restless leg syndrome? Mental issues? No. Patrick has Chronic Annual Re-occurring Steelhead Fever, which he first contracted at age 10 backtrolling a wiggle-wart on the Columbia River in eastern Washington state.

“I still remember the size, too: seven pounds, thirty inches long,” Patrick says, looking distant, seeing silvery flashes. “When I say it out loud, it sounds like giving birth to a child, doesn’t it?”

The only locally-available palliative for CARSF is found in the sterling waters of Idaho’s Clearwater River, about an hour to the south of the Populi office. A four-hour early-morning round trip takes the edge off the shakes and pangs just enough to spend the rest of the day holed up here, where Patrick earns his health insurance as Populi’s System Administrator and chief bug exterminator.

As bug-stomper, he forms an integral part of our Customer Support crew. When a customer says, “This ain’t working,” after Populi Support verifies it, Patrick hears about it and laces up his size 16’s. As System Administrator, Patrick’s workday can be fairly catch-all. He sets up new servers, keeps up with how they’re performing, upgrades background software, constructs security bulwarks, runs database queries, and a dozen other things. He does all this by tapping on a keyboard, looking at things on monitors, and through the sheer force of intimidation via his flawless Arnold Schwarzenegger impersonation.

The keyboard and monitor stuff he learned while earning his Computer Science degree at the University of Idaho, which developed and honed his considerable security chops. “They have this thing called RADICL—Reconfigurable Attack-Defend Instructional Computing Lab. It’s an air-gapped computer network that’s not connected to the external internet in any way. Basically, it’s an instructional facility for computer security and a free-for-all hacking playground.” If you think that’s esoteric, another part of his education involved “drawing state diagrams for finite non-deterministic automata”. In the midst of all this, Patrick kept his eye on being employable after college and developed a focus on solving real problems. Like the rest of us here, he worked a few years at EMSI on security and systems administration before cutting loose to help craft Populi into a going concern.

Thus, the computers. The Schwarzenegger impression originated with Patrick’s older brother Lucas, whose predilection for weightlifting molted into a robust appreciation for the acting chops of the former Governor of California. The brothers diligently studied the man’s oeuvre, repeating lines of dialogue until they mastered the original Conan the Barbarian’s certain je ne sais quoi. Patrick, in the process, more than came into his own: “Now, when we’re together, it sounds like a troupe of Arnolds are in the room.”

The Swanson boys grew up in southeast Washington’s Tri-Cities area near their father’s groundwater remediation work at the Hanford nuclear site. Their sisters—including Patrick’s twin (she looks nothing like him)—ardently pursued music while the boys were outside stalking game through the sagebrush and dry hills. Then came that day at age 10 when he saw the flopping seven-pounder at his feet on the edge of the Columbia River. When the fever overtook him.

Since then, his search for a cure has been admittedly tepid. Asked how he copes, he simply starts speaking: “The biggest steelhead I caught was around 15 pounds. Not huge but a decent fish. The steelhead on the Clearwater are B-run steelhead which means they’re a bigger strain. They stay in the ocean an additional year before coming up to spawn—as opposed to the smaller A-run.

“But I’m still searching for that elusive, 20+ pound steelhead,” he concludes. Then his forehead twitches.

Google Apps dropping support for some browsers August 1

Friday, June 10th, 2011

Google recently announced that they’ll be dropping Google Apps support for older browsers on August 1:

As of August 1st, we will discontinue support for the following browsers and their predecessors: Firefox 3.5, Internet Explorer 7, and Safari 3. In these older browsers you may have trouble using certain features in Gmail, Google Calendar, Google Talk, Google Docs and Google Sites, and eventually these apps may stop working entirely.

If there’s one thing we always jump up and down about, it’s that you should keep your browser updated. Browser updates improve security and functionality, and as more and more of our work moves to the web, this is more and more of a crucial issue. You could say we’re pleased with Google’s decision in this area because of the incremental improvement it may help bring to the web as a whole.

So, if you’re using Google Apps for Education (with which we integrate, in case you didn’t know), you’ll need to make sure you’re running an up-to-date version of a supported browser on August 1. That’s about seven weeks away! To give you a leg up:

(Since we’re giving you a leg up, we’re not providing a link to download Internet Explorer… though we do support IE8 and IE9)

Firesheep causes a stir

Tuesday, November 16th, 2010

A few weeks ago, one Eric Butler, a freelance web developer and security researcher from Seattle, released a Firefox extension called Firesheep. Firesheep lets its user hijack the HTTP sessions of other people on the same unencrypted wireless network. In other words, someone can walk into a coffeeshop, open their laptop, and via nothing more than a public wifi connection, find other patrons and log in to their accounts on sites like Facebook without a username or password. Firesheep is ridiculously simple to use; with three or four clicks the user can log in as anyone else using that wifi connection—all without the victim ever suspecting a thing.

Butler released Firesheep to bring attention to a very common, basic security flaw that’s baked-in to many popular websites and services. In his words:

When logging into a website you usually start by submitting your username and password. The server then checks to see if an account matching this information exists and if so, replies back to you with a “cookie” which is used by your browser for all subsequent requests.

It’s extremely common for websites to protect your password by encrypting the initial login, but surprisingly uncommon for websites to encrypt everything else. This leaves the cookie (and the user) vulnerable. HTTP session hijacking (sometimes called “sidejacking”) is when an attacker gets a hold of a user’s cookie, allowing them to do anything the user can do on a particular website. On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy.

This is a widely known problem that has been talked about to death, yet very popular websites continue to fail at protecting their users.

The release of Firesheep—which was downloaded over 100,000 times within 24 hours of its release*—preoccupied the tech press for days. A big draw was its focus on popular sites like Facebook, Twitter, Foursquare, Flickr, Tumblr, and Yelp, all of which broadcast sensitive personal information despite their built-in “privacy controls”. Hand-wringing over the ethics of releasing such a tool ensued; others wondered aloud whether it was even legal to do so.

But some were happy to see Firesheep get out in the wild. The program, as they pointed out, merely utilized an already widely-exploited security issue. Formerly, you had to be a hacker or a nerd to hijack HTTP sessions, or at least willing to spend five minutes with Google to find tools to help you. Firesheep made it simple enough for nearly anyone to try it; the press it received no doubt buoyed its popularity. Butler’s goal, of course, was to force this security issue into the mainstream. “The real story here is not the success of Firesheep but the fact that something like it is even possible. The same can be said for the recent news that Google Street View vehicles were collecting web traffic. It should not be possible for Google or anybody to collect this data, whether intentional or not. Going forward the metric of Firesheep’s success will quickly change from amount of attention it gains, to the number of sites that adopt proper security. True success will be when Firesheep no longer works at all.”

When will Firesheep no longer work at all? To summarize what Butler and others have been saying, that day will come when websites adopt HTTPS for every request, not just the login form. HTTPS encrypts the whole conversation, cookies included, so an eavesdropper on public wifi sees which host you connected to but not what you sent. HTTPS does cost more CPU than plain HTTP, mostly for the handshake; thus far, it has been confined largely to online banking, credit card transactions, and occasional sites like Gmail. But in terms of cost and engineering, computing is at the point now where HTTPS can be broadly implemented at a reasonable effort.**
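What a sidejacker actually captures, and the Set-Cookie attribute that decides whether a cookie ever goes over the wire in the clear, as an added Python example (this is not Firesheep’s code or Populi’s). CAPTURED_REQUEST and the cookie values are constructed for the demo:

```python
from http.cookies import SimpleCookie
from typing import Dict
from urllib.parse import urlsplit

# Constructed capture: one plaintext HTTP request exactly as a sniffer on an
# open wifi network sees it. The host and cookie values are made up.
CAPTURED_REQUEST = (
    b"GET /home HTTP/1.1\r\n"
    b"Host: www.example-social.test\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Cookie: sid=8c1f2a77b9e04d6f; user=alice; lang=en\r\n"
    b"Connection: keep-alive\r\n"
    b"\r\n"
)


def cookies_in_clear(raw_request: bytes) -> Dict[str, str]:
    """Return every cookie the browser sent in this unencrypted request.
    This is all a sidejacker needs: replaying the Cookie header is the 'login'."""
    head, _, _body = raw_request.partition(b"\r\n\r\n")
    found = {}
    for line in head.split(b"\r\n")[1:]:            # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() != b"cookie":
            continue
        for pair in value.decode("latin-1").split(";"):
            key, _, val = pair.strip().partition("=")
            if key:
                found[key] = val
    return found


def leaks_on_open_wifi(set_cookie_header: str, later_request_url: str) -> bool:
    """Given the Set-Cookie line a site used and the URL of a later request to
    that site, decide whether a browser would put the cookie on the wire in
    plaintext: only when the request is plain http AND the cookie lacks Secure.
    HttpOnly is irrelevant here; it only keeps page script away from the cookie."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    if urlsplit(later_request_url).scheme.lower() != "http":
        return False                                  # encrypted on the wire
    return any(not morsel["secure"] for morsel in jar.values())


def hardened_set_cookie(name: str, value: str) -> str:
    """The Set-Cookie line a site should use for its session cookie."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = "/"
    jar[name]["secure"] = True        # never sent over plain http
    jar[name]["httponly"] = True      # not readable from page script
    return jar[name].OutputString()


if __name__ == "__main__":
    print("sniffed:", cookies_in_clear(CAPTURED_REQUEST))
    weak = "sid=8c1f2a77b9e04d6f; Path=/; HttpOnly"
    for header in (weak, hardened_set_cookie("sid", "8c1f2a77b9e04d6f")):
        print(header, "->", leaks_on_open_wifi(header, "http://www.example-social.test/home"))
```

Note the second case: switching the whole site to HTTPS is not quite enough on its own. A session cookie set without the Secure attribute is still sent if the browser is ever induced to make a plain http:// request to the site (a typed URL, an old link), so the fix Butler is asking for is site-wide HTTPS plus Secure on every session cookie.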

If we were asked to pick sides on this, we’d side with Butler.

Populi has always used industry-standard 128-bit SSL encryption for every last communication between your computer and our servers. If you’re using Populi over coffeeshop wifi, HTTP-hijackers won’t be able to get anywhere near your session, no matter what tools they’re using. But we’ll never simply rest on this encryption method. Perfect security, as we’ve repeated before, is a moving target. With all the interest hackers have in the juicy hunks of personal data colleges keep track of, they’re gonna keep trying. Consequently, we would say that our top security features are more cultural than technological. Quite simply, we’re dedicated to the safety of your data, your right to access it, and your right to keep other people out of it. In other words, we’re dedicated to staying on our feet.

*It’s well on its way to 800,000 as of this writing.

**If you’re looking to guard yourself against HTTP-hijacking, tools like HTTPS Everywhere can help (as long as you’re visiting sites that have the protocol as an option).

Security: Technology Can Only Go So Far

Thursday, November 12th, 2009

When it comes to security, we would happily agree with the 37signals team’s recently-adopted dictum, “Perfect security is a moving target.” Any company that thinks and says otherwise has another thing coming—and so do their customers, unfortunately.

The first page of this Campus Technology article describes what’s at stake: colleges collect “more sensitive data about students than a Fortune 500 company does about customers.” The article goes on to describe why this is such a problem at the University of Nebraska: (more…)

What happens to my password?

Tuesday, September 22nd, 2009

We hash it. Next question?

Well, what’s hashing?

Hashing a password means running it through a one-way function: a fixed-size digest that is cheap to compute from the password but infeasible to turn back into it. A site never needs the password itself again; at login it hashes what you typed and compares that with the stored digest. Here’s what happens: (more…)